A lot of industries have expressed concern – or are just plain nervous – about security in the cloud, but perhaps no industry has to practice more extreme caution about putting data into the cloud than the health care industry.
It appears that concern is well justified, according to a new study from the Ponemon Institute. In an industry that is heavily regulated to protect patient privacy and other medical-related information, organizations are still lax about the security of that data when it is stored in the cloud or on mobile devices. According to the study:
Many respondents are uncertain or do not know whether these laws apply to the safeguarding of regulated data on mobile devices. As an example, 67 percent of respondents say their organization must comply with US state privacy and data breach laws yet only 18 percent believe these laws specify the protection of regulated data on mobile devices. Such perceptions result in organizations not being in compliance and facing potential regulatory fines and legal action.
The study also found that too many employees who are required to have access to protected health information (PHI) have little knowledge of the security requirements surrounding that data, as FierceMobile Healthcare pointed out:
Approximately 33 percent of respondents said that they need to access PHI to do their work. Nevertheless, only 15 percent of survey participants knew of HIPAA's security requirements for regulated data on mobile devices despite 33 percent of respondents indicating that they are part of a HIPAA covered entity.
HIPAA has addressed the concerns of cloud security and PHI with the HIPAA Omnibus Final Rule by defining that data centers and cloud providers are considered business associates and must comply with privacy and security regulations for the health care industry. (The Final Rule compliance deadline is September 23, 2013.)
In a statement, Larry Ponemon said that the devices used to access health care data aren’t secure. He’s right, up to a point. Devices have vulnerabilities. There are too many questions about how to handle cloud security. But when you look at how many employees handling the data either aren’t making an effort to be secure or don’t care or don’t know that they have to – numbers that are too high and are clearly revealed in this study – it isn’t fair to put the blame on the devices.